{config, numbers, pkgs, lib, ...}:

with lib;

let
hasIface = iface: elem iface (numbers.api.hostIfaces config.networking.hostName);
strIfHasIface = iface: s: if hasIface iface then s else "";
attrsetIfHasIface = iface: as: if hasIface iface then as else {};
eltIfHasIface = iface: elt: if hasIface iface then [ elt ] else [];

nameservers = filter (x: x != "") [
    "127.0.0.1"
    (if config.networking.hostName != "snorlax" then (numbers.api.hostIface "snorlax" "sec0").ip else "")
    (if config.networking.hostName != "sobble" then (numbers.api.hostIface "sobble" "sec0").ip else "")
    (if config.networking.hostName != "rowlet" then (numbers.api.hostIface "rowlet" "sec0").ip else "")
  ];

in

{
  imports = [
    #./pgpool.nix
    ./udp514.nix
  ];

  services.udp514-journal.enable = true;
  services.coredns = {
    enable = true;
    config = ''
      . {
        ${strIfHasIface "sxxxxec0" "bind sec0"}
        ${strIfHasIface "xxxxlan0" "bind lan0"}
        nsid ${config.networking.hostName}
        forward . 172.16.1.8
        template IN A server.dns {
          answer "{{ .Name }} 0 IN A ${(numbers.api.hostIface config.networking.hostName "sec0").ip}"
        }
      }
    '';
  };
  services.resolved.enable = false;
  #networking.resolvconf.enable = false;

  environment.etc."resolv.conf".text = foldl'
    (a: s: if s == "" then a else "${a}nameserver ${s}\n")
    "" nameservers;
  networking.nameservers = nameservers;


  system.activationScripts."corenet-flux" = mkIf true ''
    ln -sf ${./corenet-flux.yaml} /var/lib/rancher/k3s/server/manifests/corenet-flux.yaml
  '';

  services.k3s = {
    enable = true;
    tokenFile = mkIf (config.networking.hostName != "snorlax") "/etc/k3s.token";
    serverAddr =
      mkIf (config.networking.hostName != "snorlax")
        "https://${(numbers.api.hostIface "snorlax" "sec0").ip}:6443";
    clusterInit = config.networking.hostName == "snorlax";
    extraFlags = (
    #" --datastore-endpoint=nats://localhost:4222?noEmbed=true&bucket=k0-kine&replicas=2"+
    " --disable=traefik"+
    " --disable=local-storage"+
    " --cluster-cidr=10.128.0.0/16"+
    " --service-cidr=10.129.0.0/16"+
    " --flannel-backend=vxlan"+
    " --embedded-registry"+
    (strIfHasIface "sec0" " --node-ip=${(numbers.api.hostIface config.networking.hostName "sec0").ip}")+
    #(strIfHasIface "lan0" " --tls-san=${(numbers.api.hostIface config.networking.hostName "lan0").ip}")+
    "");
  };

  environment.etc."rancher/k3s/registries.yaml".text = ''
    mirrors:
      "*":
  '';

  networking.firewall.allowedUDPPorts = [
    53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 8472 10250
  ];
  networking.firewall.allowedUDPPortRanges = [
    { from = 5000; to = 32767; }
  ];
  networking.firewall.allowedTCPPorts = [
    53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 10250
  ];
  networking.firewall.allowedTCPPortRanges = [
    { from = 5000; to = 32767; }
  ];
}